A review on the decoy-state method for practical quantum key 

distribution 



Xiang-Bin Wang 
IMAI Quantum Computation and Information Project, 
ERATO, JST, Daini Hongo White Bldg. 201, 
5-28-3, Hongo, Bunkyo, Tokyo 133-0033, Japan 

Abstract 

We present a review on the historic development of the decoy state method, including the 
background, principles, methods, results and development. We also clarify some delicate concepts. 
Given an imperfect source and a very lossy channel, the photon-number-splitting (PNS) attack can 
make the quantum key distribution (QKD) in practice totally insecure. Given the result of ILM- 
GLLP, one knows how to distill the secure final key if he knows the fraction of tagged bits. The 
purpose of decoy state method is to do a tight verification of the the fraction of tagged bits. The 
main idea of decoy-state method is changing the intensities of source light and one can verify the 
fraction of tagged bits of certain intensity by watching the the counting rates of pulses of different 
intensities. Since the counting rates are small quantities, the effect of statistical fluctuation is very 
important. It has been shown that 3-state decoy-state method in practice can work even with the 
fluctuations and other errors. 
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I. INTRODUCTION AND BACKGROOUND 

Although many standard quantum key distribution (QKD) protocols such as BB84[lJ 
have been proven to be unconditionally secure 3> H ^ , this does not guarantee the security 
of QKD in practice, due to various types of imperfections in a practical set-up. In practical 
QKD, the source is often imperfect. Say, it may produce multi-photon pulses with a small 
probability. Normally weak coherent state is used in practical QKD. The probability of 
multi-photon pulses is around 10% among all non-vacuum pulses. On the other hand, the 
channel can be very lossy. For example, if we want to do QKD over a distance longer than 
lOOkms, the overall transmittance can be in the magnitude order of or even 10~ 4 . This 
opens a door for the Eavesdropper (Eve) by the so called photon-number-splitting (PNS) 
attack P| . 

It was then shown by Inamori, Lutkenhaus and Mayers (ILM)[7J and by Gottesman et 
al (GLLP)j^| on how to distill the secure final key even with an imperfect source, provided 
that we have a way to verify the upper bound of the fraction of tagged bits (counts caused 
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by multiphoton pulses from the source) or equivalently, the lower bound of untaggec 
(counts caused by single-photon pulses from the source). However, the ILM-GLLP 
result does not tell us how to make the verification itself. What it has presented is how to 
make the finall key given the verified results of fraction of tagged bits or fraction of untagged 
bits. Therefore, the only difficulty remained for secure QKD in practice is the verification. 
Non-trivial verification is the central issue of the decoy-state method. 

Before going into the decoy-state method, let's first recall some concepts and results of 
ILM-GLLP Q E|- 



A. Tagged bits 

Suppose in a QKD protocol, Alice is the sender and Bob is the receiver. In the standard 
protocols such as BB84 with perfect single photon source, there is no tagged bits because 
an Eavesdropper (Eve) in principle will cause errors to Bob's bits if she wants to know some 
of the bit values of Bob. However, if Alice uses an imperfect source, things will be different. 
Suppose sometimes Alice sends a multi-photon pulse. All the photons in the pulse have 
the same state. Eve can keep one photon from the pulse and sends other photons of the 
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pulse to Bob. This action will not cause errors to the bit value to bob but Eve may have 
full information about Bob's bit: After the measurement basis is announced by Alice or 
Bob, Eve will be always able to measure the photon she has kept in the correct basis. If 
Eve can know some of bit values without causing any errors, these bits are defined as tagged 
bits. Given an imperfect source, whenever Alice sends out a multi-photon pulse and Bob's 
detector counts, we assume that a tagged bit has been produced. We don't care how many 
photons the pulse may contain after it is transmitted to Bob's side. 

Remark. Bob cannot verify the tagged bits at his side by measuring the photon number in 
each comming pulses. Say, suppose he finds certain pulse contains only one photon. The 
bit caused by that pulse could be still a tagged bit because the pulse could have contained 
two photons at Alice's side. 



B. Final key distillation with a fraction of tagged bits. 

In the standard BB84 protocol with perfect single photon source, there is no tagged bits. 
To distill the final key, we need the information of bit-flip error rate t& and phase-flip rate 
t p . Based on this information we can in principle have a CSS [3] code to correct all bit- 
flip errors (error correction) and to compress any third party's information to almost zero 
(privacy amplication). In pararticular, we shall use a CSS code that consumes n r H(tb) = 
n r [—tblog2tb — (1 — tb)log 2 (l — £&)] raw bits to correct bit-flip errors and n r H(t p ) raw bits 
for the privacy amplification. Here n r is the number of raw bits. It was shown by ILM- 
GLLpjjyi that we can also distill the secure final key by a CSS code even with an imperfect 
source, if we know the bit-flip rate, phase-flip rate and upper bound value of the fraction 
of tagged bits, A. In particular we shall use a CSS code that consumes n t H(tb) raw bits 
for error correction and n r [A + (1 — A)H(-^h) for privacy amplification. This is to say, in 
a protocol with perfect single-photon source, we shall know how to distill the final key if 
we know the bit-flip rate and phase-flip rate; in a protocol with an imperfect source, we 
shall also know how to distill the final key if we know the bit-flip rate, phase-flip rate and 
A value, the upper bound of the tagged bits. Equivalently, we can also use Ai, the lower 
bound of untagged bits. It is easy to verify the bit-flip rate and phase-flip rate: Alice and 
Bob simply take some samples and announce the bit values. Asymptotically, the error rate 
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rate of the remained raw bits is equal to the error rate of those samples. However, to know a 
tight bound value of A or Ai is not so straightforward. The central task for the decoy-state 
method is to make a tight verification of A or Aj. 



II. HWANG'S IDEA AND PROTOCOL 

The first idea of decoy-state method and the first protocol is given by Hwang[9]. Hwang 
proposed to do the non-trivial verification by changing the intensity of pulses. In Hwang's 
first protocol, two intensities are used. The intensity of signal pulses is set to be around 
0.3 and the intensity of decoy-state pulses is set to be 1. By watching the counting rate of 
decoy pulses, one can deduce the upper bound of the fraction of tagged bits among all those 
signal pulses. 

For clarity, we first demonstrate why a tight verification is non-trivial. Knowing the 
photon-number distribution of the source and the channel transmittance to one coherent 
state is insufficient for a tight verification. Consider a coherent state with intensity fi. 
With the phase totally randomized, the state is a probabilistic mixture of different photon 
numbers: 

P, = e^±^\n){n\ (1) 

n=0 U - 

and |n)(n| is the Fock state of n photons. Since Alice does not know the photon number 
in each individual pulse, their knowledge about the channel transmittance is the averaged 
transmittance to the whole mixed state. However, in principle, the channel (Eve's channel) 
transmittance can be selective: it can be more transparent given a multi-photon pulse. 
Suppose the channel transmittance is rj. (Since Eve may also control Bob's detector, here rj 
is the overall transmittance for channel and detector.) It is possible that the transmittance 
for single-photon pulses is actually zero. If we use the worst-case estimation, we require 
fi < rj in order to obtain a meaningful result for the verification. In practice, if the distance 
is longer than lOOkms, it is possible that 7] value is in the magnitude order of 10~ 3 or 10~ 4 , 
then the worst-case verification doesn't work. 

Earlier, the PNS attack has been investigated where Alice and Bob monitor only how 
many non- vacuum signals arise, and how many errors happen. However, it was then shownjfj 
that the simple-minded method does not guarantee the final security. It is shown [6] that 
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in a typical parameter regime nothing changes if one starts to monitor the photon number 
statistics as Eve can adapt her strategy to reshape the photon number distribution such 
that it becomes Poissonian again. 

Remark: Here PNS attack allows any method for Eve to split the multi-photon pulses, pro- 
vided that it does not violate laws of the nature. Although some types of specific PNS attack, 
e.g., the beam-splitter attack could be detected by simple method such as tomography at 
Bob's side, a method to manage whatever type of PNS attack is strongly non-trivial. 

However, as it was first shown by Hwang[9(, by changing the intensity of pulses, one can 
make the verification unconditionally and more efficiently We now start from the classical 
statistical principle. 

Principle 1. Given a large number of independent pulses, the averaged value of any physical 
quantity per pulse in a randomly chosen subset of pulses must be (almost) equal to that 
of the remained pulses, if the number of pulses in the subset and the number of remained 
pulses is large. 

In a standard QKD protocols with perfect single-photon source, this principle is used for the 
error test: They check the error rate of a random subset, and use this as the error rate of the 
remained bits. Also, this principle can be used for estimation of other quantities, such as the 
counting rate. In the protocol, Alice sends pulses to Bob. Given a loss channel, whenever a 
pulse is sent out from Alice, Bob's detector may click may not click. If his detector clicks, a 
raw bit is generated. Counting rate is the ratio of the number of Bob's click and the number 
of pulses sent out from Alice. More specifically, if source x sends out iV pulses and Bob's 
detector clicks n x times meanwhile, the counting rate for pulses from source x is S x — ~^ ■ 
In the QKD protocol, Alice controls the source. Consider a case of a mixed source of X and 
source Y. When we say a mixed source of X and Y, we mean that each maybe from X or Y 
randomly. If these two sources produce the same state and each pulses are independent and 
the number pulses from each source is sufficiently large, then the counting rate of source X 
must be equal to that of source Y, since X and Y can be regarded as one source and pulses 
from X can be regarded as samples for testing and pulses from source Y can be regarded as 
the remained pulses. 

Principle 2. Asymptotically, given a mixed source of X and Y, Alice can verify the counting 
rate of source Y by watching counting rate of source X, if X and Y produce the same states 
and each pulses are independent. 



5 



Now we see how Hwang's original protocol^ works. For mathematical simplicity, we 
give up Hwang's original derivation which involves counting rates of each Fock states and 
complicated inequalities. We use the technique of density matrix convex and there are only 



a few parameters involved 10(] . We omit the dark count at the moment and assume that a 
vacuum pulse from Alice never causes counts at Bob's side. Consider the source state in 
equation^). The state can be re- written in the following equivalent convex form: 

p M = e^|0)(0|+^|l)(l| + cp c (2) 

and c = 1 — — fxe"^ > 0, 

oo 

Pc=-EP»0*)|n>H (3) 

C n=2 

and P n (p) = e -tj " ■ This convex form shows that the source sends out 3 types of pulses: 
sometimes sends out vacuum, sometimes sends out |1)(1|, sometimes sends pulses of state p c . 
Bob's counts caused by p c from Alice are regarded as tagged bits. Since we know explicitly 
the probability of pulses p c for our source, we shall know the fraction of tagged bits if we 
know s c , the counting rate of state p c . The counting rate of any state p is the probability 
that Bob's detector counts whenever Alice sends p. If we have another source A' which 
always produces state p c , then we can combine source A, the coherent source p M and A' . 
Say, Alice uses a mixed source of A and A'. After Alice sends out all pulses, Bob announces 
which time is counted and which time is not. Then Alice knows the counting rate of source 
A'. The counting rate of source A' is just the counting rate of all pulses p c from source A, 
asymptotically. Since Eve cannot treat the pulses from source A' and the pulses of state 
p c from source A differently. This can be understood more easily in the following way: the 
above mixed source of A and A' can be equivalently regarded as 4 sources since source A 
can be equivalently regarded as 3 sub-sources: sub-source A containing all vacuum pulses 
from A, sub-source A\ contains all single-photon pulses from A and sub-source A c contains 
all pulses of state p c . Since the states of pulses from source A' and source A c are identical, 
Eve can not treat them differently. Therefore the counting rate for pulses from source A' 
must be equal to the that of source A c . Since source A c contains all multi-photon pulses 
for source A, therefore the value s c for source A is verified by watching the counting rate of 
source A'. This is a natural consequence of Principle 2: Source A' and sub-source A c makes 
a mixed source, they each produce the same identical pulses, therefore Alice can verify the 
counting rate of sub-source A c by watching that of source A'. 



In the above toy model, we have used source A' that produces state p c deterministically. 
In practice we don't have such a source. But we have another coherent source with a different 
intensity p,' > p. We now consider a realistic mixed source: source A is the coherent source 
with intensity p, source A^i is another coherent source with intensity //. Since y! > p, the 
state for source Ap> can be written in the convex form: 

PS = e^'|0)(0| + ti'eS + c^—-p c + d Pd . (4) 

p*e i* 

The source A^i can be equivalently regarded as a mixed source which contains the 4 sub- 
sources: A^'o which contains all vacuum pulses from A^, A^i which contains all single- 
photon pulses from A^i, A^c that contains all p c pulses of source A^ and A^d that contains 
all pd pulses of source A^. Therefore the mixed source of A, A^ now contains 7 sub-sources. 
Since state from sub-source A^i c is identical to that of sub-source A c , the counting rate of 
source A^i c should be equal to that of A c , i.e., the counting rate of state p c from source A. 
If Alice knew which pulses were from sub-source Api cy she would know the value s c exactly 
therefore know the value of fraction of tagged bits explicitly for source A, and then did key 
distillation based on raw bits from source A. However, Alice had no way to know which 
pulses are from sub-source A M / C . But she know which pulses are from source A^i. We shall 
show that she can know an upper bound of the fraction of tagged bits from source A by 
watching the counting rate of source A^i. 

In the protocol, Alice can watch the (averaged) counting rate for source A^ and we 
soppose the value is S^. According to equation (J1J), we have the following equation: 

S„> = p'e ^ si + c— — -s c + ds d . (5) 
p z e p 

Here we have assumed no vacuum dark count and denoted for the counting rate for state 
Pd, i.e. for source A^d , si for counting rate of single-photon pulses, i.e., for source A^. Alice 
does not know the value of S\ or Sd but she knows the fact s\ > and Sd > 0. Therefore we 
transform eq(j5J) into an inequality for the upper bound of s c : 

Sc < , 2 — 6 

p' 2 e p 

This bound is obtained based on the observation of source A. This is the bound value for 
counting rate of sub-source A^c. This is also the bound value for state p c from any source, 
including those p c pulses from source A, since Eve cannot treat pulses of the same state 



differently according to which source the pulse is from. Therefore we have the following 
upper bound for fraction of tagged bits of source A: 

A < — — 7) 

and we have used 

A = (8) 



In the normal case that there is no Eve's attack, Alice and Bob will find Sa' / S 



\Jt! I \i in their protocol therefore they can verify A < -7^77, which is just eq.(13) of Hwang's 
work [9]. 

The above is the main result of Hwang's work. We have simplified the original derivation 
given by HwangQ. In summary, Hwang's protocol works in this way: Use the intensity 
fjf — 1 for the decoy state. By watching the counting rate of decoy state, we can obtain A 
value for the signal state (intensity /i). 

Although Hwang's result of verification has been much better than the trivial worst- 
case method, Hwang's protocol should be further improved for immediate use in practice. 
Hwang's verified result is still much larger than the true value. We want a tighter estimation. 
Remark: The security of Hwang's method is a direct consequence the separate prior art 
result of ILM-GLLP0,Q. ILM-GLLpJ?], 0] have offered methods to distill the uncondition- 
ally secure final key from raw key if the upper bound of fraction of tagged bits is known, 
given whatever imperfect source and channel. Decoy-state method verifies such an upper 
bound for coherent-state source. We can consider an analog using the model of pure water 
distillation: Our task is to distill pure water by heating from raw water that may contain 
certain poison constitute. Surppose it is known that the poison constitute will be evaporated 
in the heating. We want to know how long the heating is needed to obtain the pure water 
for certain. If we blindly heat the raw water for too long, all raw water will be evaporated 
and we obtain nothing. If we heat the raw water for a too short period, the water could 
be still poisonous. "ILM-GLLP" finds an explicit formula for the heating time which is a 
function of the upper bound of the fraction of poison constitute. They have proven that we 
(almost) always obtain pure water if we use that formula for the heating time. However, the 
formula itself does not tell how to examine the fraction of poison constitute. "Decoy-state" 
method is a method to verify a tight upper bound of the fraction of the poison constitute. It 
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is guaranteed by the classical statistical principle that the verified upper bound by "decoy- 
state method" is (always) larger than the true value. Using this analog, the next question 
is how to obtain a tighter upper bound: if the verified value over estimates too much, it is 
secure but it is inefficient. We want a way to obtain a value that is only a bit larger than 
the true value in the normal case that there is no Eve (for efficiency), and it is (almost) 
always larger than the true in whatever case (for security). This can be achieved by the 
improved decoy-state method. Here the term "(almost) always" means "with a probability 
exponentially close to 1" . 



III. IMPROVED DECOY-STATE METHOD 



The improvement is possible because Hwang's method has not sufficiently using the 
different intensities. Actually, in doing the verification, Alice has only used the counting 
rate of one intensity, the source A^. It should be interesting to consider the case that Alice 
uses more intensities. 

After Hwang's work, decoy-state method is further studied. Ref jlll] reviewed the PNS 
attack and the elementary idea of decoy-state method with some shortly-stated suggestions 
for possible improvement, but there is no conclusive result. It suggests doing the verification 
by using two intensities, vacuum and very weak coherent state. However this idea seems to 
be inefficient in practice due to the possible fluctuation of dark count 12]. Latter, a protocol 
with infinite number of intensities is proposed and the result in the infinity limit is given. 
The main result there has been published in Ref 14 1. 

Here we are most interested in a protocol that is practically efficient. Obviously, there 
should be several criterion. 1. The protocol must be clearly stated. For example, there 
should be quantitative description about the intensities used and quantitative result about 
the verification. Because we need the explicit information of intensities in the implementa- 
tion and the explicit value of A for key distillation. 2. The result of verified value A should 
be tight in the normal case when there is no Eve. This criterion is to guarantee a good final 
key rate. 3. It should only use a few different intensities. 4. It should be robust to possible 
statistical fluctuations. Say, in the non-asymptotic case, it only needs a reasonable number 
of pulses to make the verification. Note that the counting rates are very small parame- 
ters. The effects of possible statistical fluctuations can be very important. Concerning the 
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above criterion, a 3-intensity protocol is then proposed [h]]. The protocol uses 3 intensities: 
vacuum, /i and y! for the verification. For convenience, we shall always assume 

fi' > /i; //e~ M ' > iuT" (9) 

in this paper. Since we randomly change the intensities among 3 values, we can regard it as 
the mixing of 3 sources. Source A contains those vacuum pulses, A contains those pulses 
of intensity \i and source contains those pulses of intensity y! . States from source A and 
Api are given by eq.(J2J) and eq.(@J, respectively. In the protocol, they can direct watch the 
counts of each source of A , A, A^. Suppose they find S , S^, S^> for each of them. In the 
asymptotic case, we have the following equations: 

= e~^S + ye'^s + cs c (10) 

S> = e^s + y'e^sx + d ' s c + ds d (11) 

y 2 e~^ 

In the above we have used the same notations So, s\, s c in both equations. This is because 
we have assumed that the counting rates of the same state from different sources are equal. 
So is known, s\ and are unknown, but they are never less than 0. Therefore setting s^, si 
to be zero we can obtain the following crude result by using eq.(JTTJ) alone. 

cs c < " e^o - n'e-'si) . (12) 



y'*e 

However, we can tighten the verification by using eq.()10jl. Having obtained the crude results 
above, we now show that the verification can be done more sophist icatedly and one can 
further tighten the bound significantly. In the inequality (JHJ), we have dropped terms s± 
and Sd, since we only have trivial knowledge about si and s,i there, i.e., si > and > 0. 
Therefore, inequality (|12|) has no advantage at that moment. However, after we have obtained 
the crude upper bound of s c , we can have a larger-than-0 lower bound for s±, provided that 
our crude upper bound for A given by eq.(jBJ) is not too large. From eq.(J2J) we have 

e'^so + fie-^S! + cs c = S M . (13) 

With the crude upper bound for s c given by eq. © , we have the non-trivial lower bound for 
s± now: 

si > S M - e~% - cs c > 0. (14) 
10 



Therefore tight values for s c and s\ can be obtained by solving the simultaneous constraints 
of equation (|13J) and inequality (|12p. We have the following final bound after solving them: 

Here we have used eq.flBJ). In the case of so « n, if there is no Eve., S'^/S p = \i! Alice 
and Bob must be able to verify 
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= fJL (16) 
H'-li-+0 



in the protocol. This is close to the real value of fraction of multi-photon counts: 1 — e _M , 
given that rj << 1. In this 3-intensity protocol for the verification, both \x and y! can be set 
in a reasonable range therefore both of them can be used for final key distillation. Of course, 
if we also want to use source for key distillation, we need the value A', the upper bound 
of the fraction of tagged bits for source A^. Given s c , we can calculate the lower bound of 
Si through eq. ()14j) . Given s±, we can also calculate the upper bound of A', the fraction of 
multi-photon count among all counts caused by pulses from source A^/. Explicitly, 

A' < 1 - (1 - A - e -^)e^' - (17) 
The values of should be chosen in a reasonable range, e.g., from 0.2 to 0.5. 



IV. STATISTICAL FLUCTUATIONS 



The results above are only for the asymptotic case. In practice, there are statistical 
fluctuations, i.e., Eve. has non-negligibly small probability to treat the pulses from different 
sources a little bit differently, even though the pulses have the same state. Mathematically, 
this can be stated by 

s p {y') = {l + r p )s p {y) (18) 

and the real number r p is the relative statistical fluctuation for counting rate of stte p in 
different sources of pulses. It is insecure if we simply use the asymptotic result in practice. 
Since the actual values are actually different from what we have estimated from the observed 
data. Our task remained is to verify a tight upper bound of A and the probability that the 
real value of A breaks the verified upper bound is exponentially close to 0. 

11 



The counting rate of any state p from different sources now can be slightly different 
from the counting rate of the same state p from another sources, Ap, with non-negligible 
probability. We shall use the primed notation for the counting rate for any state from source 
A ^1 and the original notation for the counting rate for any state from source A. Explicitly, 
constraints (|6I14|) are now converted to 



e M s + pe M sx + cs c = S t 

fi' 2 e 



<<5& (Sp.-p'e-v'si-e-v's'u 



(19) 



Setting s' x — (1 — r x )s x for x — 1, c and s' — (1 + r )so with r x > we obtain 

A < pe^'S^/Sp - p'e» + [(//' - p)s + r lSl + r s }/Sp. (20) 



p'e" 



From this we can see, if p and p' are too close, A can be very large. The important question 
here is now whether there are reasonable values for p', p so that our method has significant 
advantage to the previous method^]. The answer is yes. 

Given N±+N 2 copies of state p, suppose the counting rate for Ni randomly chosen states is 
s p and the counting rate for the remained states is s' p , the probability that s p — s' p > S p is less 
than exp (-\5 p 2 N /s p ) and N = Min^, N 2 ). Now we consider the difference of counting 
rates for the same state from different sores, A and Api . To make a faithful estimation for 
exponentially sure, we require 8 p 2 N /s p = 100. This causes a relative fluctuation 



r -il<i(v/J_ (21) 

The probability of violation is less than e -25 . To formulate the relative fluctuation ri,r c by 
s c and Si, we only need to check the number of pulses in p c , |1)(1| in each sources in the 
protocol. That is, using eq. (|2"T| . we can replace r%, r c in eq. (fTT?|) |1)(1| in each sources in the 
protocol. That is, using eq. (}2*Tj) . we can replace r 1; r c in eq. (fTT?j) by 10e M / 2 y^-^, 10y^^, 
respectively and is the number of pulses in source A. Since we assume the case where 
vacuum-counting rate is much less than the counting rate of state pp, we omit the effect of 
fluctuation in vacuum counting, i.e., we set r = 0. With these inputs, eq.(JTHJ) can now be 
solved numerically. The results are listed in the following table. From this table we can see 
that good values of p, p! indeed exist and our verified upper bounds are sufficiently tight to 
make QKD over very lossy channel. Note that so far this is the only non-asymptotic result 
among all existing works on decoy-state. From the table we can see that our non-asymptotic 
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TABLE I: The verified upper bound of the fraction of tagged pulses in QKD. A# is the result 
from Hwang's method. Ar is the true value of the fraction of multi-photon counts in case there 
is no Eve. Ah and A^ do not change with channel transmittance. Awi is bound for pulses from 
source A, given that r\ = 1CP 3 . Aw2 and A' W2 are bound values for the pulses from source A, A^i 
respectively, given that n = 1(T 4 . We assume so = 10 6 . The number of pulses is 10 10 from source 
A, A'^ in calculating Ajyi and 8 x 10 10 in calculating A\y2i ^W2- (Ovrr results will only increase 
by 0.03 even if we only use 10 10 pulses. Act ually as we shall show it in Table 2 and 3, pretty good 
results can be obtained with only 10 10 pulses[l7j.) 4 x 10 9 vacuum pulses is sufficient for source Aq. 
The bound values will change by less than 0.01 if the value of so is 1.5 times larger. The numbers 
inside brackets are chosen values for fi'. For example, in the column of ^ = 0.25, data 30.9%(0.41) 
means, if we choose [i = 0.25, /j,' = 0.41, we can verify A < 30.9% for source A. 





0.2 


0.25 


0.3 


0.35 


A H 


44.5% 


52.9% 


60.4% 


67.0% 


A R 


18.3% 


22.2% 


25.9% 


29.5% 


A W i 


23.4%(0.34) 


28.9%(0.38) 


34.4%(0.43) 


39.9%(0.45) 


A\V2 


25.6%(0.39) 


30.9%(0.41) 


36.2%(0.45 ) 


41.5%(0.47) 





0.39 


0.41 


0.45 


0.47 


A h 


71.8% 


74.0% 


78.0% 


79.8% 


Ar 


32.3% 


33.7% 


36.2% 


37.5% 


A' 

^W2 


40.1% 


42.2% 


45.8% 


48.6 



values are less than Hwang's asymptotic values already. Our verified values are rather close 
to the true values. We have assumed the vacuum count rate sq = 10~ 6 in the calculation. 
If So is smaller, our results will be even better. Actually, the value of Sq (dark count) can 
be even lower than the assumed value here 3, Q • In the real set-up given by Gobby et 
alQ, 

the light losses a half over every 15km, the devices and detection loss is 4.5% and 
So < 8.5 x 10~ 7 . Given these parameters, we believe that our protocol works over a distance 
longer than 120km with with fi = 0.3, n! = 0.45 and a reasonable number of total pulses. In 
the table, we have chosen both values of fi, fi' in a reasonable range. Of course, our method 
and Eq. (jl5)l also work for other values of /i, fi' which are beyond the table. This shows that 
eq.((TSJ) indeed gives a rather tight upper bound. 
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V. ROBUSTNESS TO OTHER SMALL ERRORS 



We now study how robust our method is. In the protocol, we use different intensities. 
In practice, there are both statistical fluctuations and small operational errors in switching 
the intensity. We shall show that, by using the counting rates of 3 intensities, one can still 
verify tight bounds even we take all theses errors and fluctuations into consideration. 

There are small operational errors inevitably. Say, in setting the intensity of any light 
pulse, the actual intensity can be slightly different from the one we have assumed. More 
specifically, suppose the number of pulses from source A , A, A^i are N , N^, N^, respectively. 

Due to the small operational error, the intensity of light pulses in source A could be 
slightly larger than 0. This doesn't matter because a little bit over estimation on the 
vacuum count will only decrease the efficiency a little bit but not at all undermine the 
security. Therefore we don't care about the operational error of this part. Say, given no 
counts for all the pulses from source A , we then simply assume the tested vacuum counting 
rate is s = n /N , though we know that the actual value of vacuum counting rate is less 
than this. 

We shall only consider sources A^A^. First, there are statistical fluctuations to the 
states itself since the number of pulses are finite. Say, e.g., given jV M pulses of intensity /i, 
the number of vacuum, single-photon state and multi-photon state p c could be a bit different 
from the assumed values of Po(//) , Pi((J>) , P c (/-0 , respectively. The similarly deviations also 
apply to the pulses of intensity //. But the deviation should be small given that the number 
of pulses in each sources is not too small. Say, e.g., given iV M > lO 9 ,^ = 0.2, the relative 
fluctuation for the probability of state p c is less than 10 N ( 1 _ e - 1 M _ Me - M ) " < 0.2%. Besides 
this, there are operational errors. At any time Alice decides to set the intensity of the pulse 
to be fi or //, the actual intensity could be ^ or /i^, which can be a bit different from fi 
or //. Therefore we should replace P^(n) and P/j,'(n) by slightly different distributions of 
PM = ^ES^(n) = P»(l + e„) and P^n)^ P^n) =P^(n)(l + <). Base 

on these, we have the following new convex formula for the actual states of each source given 
both statistical errors of states and operational errors: 

p M = P o |0)(0| + A|l)(l| + cp c (22) 

and P ,i = P/i(0) 1); c = 1 — P — Pi- Since the new distributions are only a bit different 
from the old ones, there must exist a positive number d and a density operator p~d so that 
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the state from source is convexed by 

fa = P^\0)(0\ + P[\l)(l\ + c'p c + dp d . (23) 

This, together with the possible statistical fluctuation to counting rates gives the following 
simultaneous constraint: 

P M (0)(1 + e )s + P M (1)(1 + £l ) Sl + c(l + e c )s c = 5 M , 
^V(0)(1 + + P„(l)(l + + ^c(l + e' c K < S„ 

and c = 1 — P M (0) — P M (1); c' = c. Suppose we know the upper bounds of all values 

of \e x \, |e^,|, x = 0, 1, c, we can calculate the lower bound of Si and upper bound of s c . Say, 
we try all possible values of e x , e' x and take the worst case as the verified result. After 
calculation, we find the result does not change too much given small \e x \, \e' x \. For example, 
given that \e x \ < 2%, \e' x \ < 2% and Np = = 10 10 , JV = 4x 10 9 and S Q = 10" 6 , the 
lower bound of single-photon counting rate can be verified to be larger than 0.95§i and si 
is the lower bound of single-photon counts given e x = e' = 0. 



VI. FURTHER STUDIES 



After the major works presented in 



14 1, the decoy-state method has been further 



studied. Harrington studied the effect of fluctuation of the state itself. Ref . [17|] proposed a 
4-state protocol: using 3 of them to make optimized verification and using the other one p s 
as the main signal pulses. This is because, if we want to optimize the verification of A value, 
p, pi cannot be chosen freely. Therefore we use another intensity p s to optimize the final key 
rate. It is shown numerically on how to choose the intensity for the main signal pulses (p s ) 
and good key rates are obtained in a number of specific conditions. Ref. [18] further studied 
the 3-intensity protocol. In particular, statistical fluctuations to the bit error rates are also 
considered there and a type of stronger key rate formula is suggested there. An experiment 
was also donej^J. 



VII. SUMMARY 



In summary, we have reviewed the historic development of the decoy state method, in- 
cluding the background, development and some delicate concepts. Given an imperfect source 
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and a very lossy channel, the 
Given the result of ILM-GLLP 



>NS attack can make the QKD in practice totally insecure. 

]n 

3, 18[ , one knows how to distill the secure final key if he knows 
the fraction of tagged bits. The purpose of decoy state method is to do a tight verification 
of the the fraction of tagged bits. The main idea of decoy-state method is changing the 
intensities of source light and one can verify the fraction of tagged bits of certain intensity 
by watching the the counting rates of pulses of different intensities. Since the counting rates 
are small quantities, the effect of statistical fluctuation is very important. It has been shown 
that 3-state decoy-state method in practice can work even with the fluctuations and other 
errors. 
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